CSAW CTF 2014 - Exploitation 400 - saturn

Introduction

This exploitation challenge is based on a challenge-response authentication protocol system. The goal was to find a way to obtain challenge responses without having the challenge-response keygen algorithm.

Running the binary

Since we don't have the challenge-response keygen algorithm (libchallengeresponse.so), we can create a decoy one.

The vulnerability

The challenges are stored from 0x0804A0C0 to 0x0804A0DF and the responses from 0x0804A0E0 to 0x0804A0F. If we send 0xA0 to the server we get the first challenge; if we send 0xA2 we get the third challenge.

During a challenge request, the low nibble of the request byte (its lowest 4 bits) is multiplied by 4. This is the offset used to step to the corresponding 32-bit value. The vulnerability lies in the fact that we can set this offset anywhere from 0x00 to 0x0F in a challenge request, with no check that it stays within the challenge array.

The program expects the client to request challenges from 0xA0 to 0xA7.

If the client sends 0xA8, the query is still accepted as valid and the first response is sent back, because offset 0x8 * 4 = 32 lands exactly at the start of the response array that follows the challenges.
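The following C sketch is an added illustration, not code from the challenge binary or from the original writeup. It reconstructs the lookup the text describes (low nibble times 4 as an unchecked offset into a challenge array that is immediately followed by the response array) next to a bounds-checked version; the table contents are constructed stand-ins and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_SLOTS 8

/* Constructed layout mirroring the writeup: eight 32-bit challenges
 * immediately followed by eight 32-bit responses in one contiguous object. */
struct table {
    uint32_t challenge[NUM_SLOTS];
    uint32_t response[NUM_SLOTS];
};

static struct table tbl = {
    { 0xC0000000, 0xC0000001, 0xC0000002, 0xC0000003,
      0xC0000004, 0xC0000005, 0xC0000006, 0xC0000007 },
    { 0xE0000000, 0xE0000001, 0xE0000002, 0xE0000003,
      0xE0000004, 0xE0000005, 0xE0000006, 0xE0000007 },
};

/* Vulnerable handler (hypothetical name): any request whose high nibble is
 * 0xA is accepted, and the low nibble * 4 becomes a byte offset from the
 * start of the challenge array with no upper bound. Offsets 0x8..0xF read
 * past the challenges into the adjacent response array. */
int get_challenge_vulnerable(uint8_t cmd, uint32_t *out)
{
    if ((cmd >> 4) != 0x0A)
        return -1;                              /* not a challenge request */
    size_t off = (size_t)(cmd & 0x0F) * 4;      /* 0..60, never range-checked */
    memcpy(out, (const unsigned char *)&tbl + off, sizeof *out);
    return 0;
}

/* Hardened handler: only the eight defined slots 0xA0..0xA7 are served;
 * anything else is rejected instead of being turned into an offset. */
int get_challenge_checked(uint8_t cmd, uint32_t *out)
{
    if (cmd < 0xA0 || cmd > 0xA7)
        return -1;
    *out = tbl.challenge[cmd - 0xA0];
    return 0;
}

int main(void)
{
    uint32_t v;
    for (uint8_t cmd = 0xA0; cmd <= 0xAF; cmd++) {
        int ok = get_challenge_vulnerable(cmd, &v);
        int chk = get_challenge_checked(cmd, &v);
        printf("cmd 0x%02X: vulnerable=%s 0x%08X  checked=%s\n",
               cmd, ok == 0 ? "served" : "denied", v,
               chk == 0 ? "served" : "denied");
    }
    return 0;
}
```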